April 30, 1996

Mr. Harry Koch

ESC/ENS

5 Eglin Street, Building 1704
Hanscom Air Force Base, MA 01731-2116

Dear Mr. Koch:

This letter contains our R & D Status Report covering the period from Jan. 1, 1996 to Mar. 31, 1996 for Contract F19628-95-C-0118, entitled “Applications of the Theory of Distributed and Real-Time Systems to the Development of Large-Scale Timing-Based Systems”.

Technical Progress

Members of MIT’s Theory of Distributed Systems group have continued their work on modelling, designing, verifying and analyzing distributed and real-time systems. The focus is on the study of “building-blocks” for the construction of reliable and efficient systems. Our work falls into three general categories: modelling and verification tools, algorithms and impossibility results, and applications. Here, we describe the progress briefly. Sources for more details are provided in the Technical Report.

I. Modelling and verification tools

• Lynch, Segala, Vaandrager and Weinberg have continued working on their new hybrid I/O automaton (HIOA) model, a mathematical model based on labelled transition systems, designed for reasoning about hybrid (continuous/discrete) systems. This quarter, the focus has been on “retrofitting” work done previously using less powerful timed automaton models, so that it rests on the new HIOA model. We have done this with three sets of results from our hybrid systems application project. In addition, work has continued on a full (TR and journal) version of the basic HIOA model paper.

• Garland and Lynch have completed a preliminary design of a Larch interface language for I/O automata. This language, together with associated tools, will facilitate reasoning about I/O automata using the Larch Prover. The language is also intended for use with other tools, such as a simulator and a model-checker.

• Garland and Petrov have polished and revised Petrov’s machine verification, using the Larch Prover, of the concurrent timestamp system of Dolev and Shavit.

• Segala has continued work on adapting random walk theory for reasoning about randomized distributed algorithms. He has also developed some new proof rules for analysis using time-like complexity measures, for probabilistic systems. (Segala and Lynch are attempting to finish up the PhD project of Anna Pogosyants, who was killed in a car crash in December. This is part of that project.)

II. Algorithms and impossibility results

• Lynch, Shavit, Shvartsman, and Touitou have revised their paper showing that many important classes of the highly concurrent data structures used for counting and load balancing exhibit nearly linearizable behavior for a broad range of parameters. This paper characterizes the linearizability conditions in terms of a parameter that describes a local property of a low-level component, and that does not depend on the size of the data structure. Their revised paper will appear in PODC96.

• Shavit has continued his work on design and analysis of efficient concurrent data structures. This work has many pieces, including a project on Diffracting Priority Queues (with Dan Touitou and Asaph Zemach), one on Diffracting Fetch and Add (with Asaph Zemach), one on Reactive Diffracting Trees (with Giovanni Della Libera, described below), and one on Positive Counter Counting Networks and Applications (with Bill Aiello and Maurice Herlihy). In addition, he is attempting to tie the area together in a monograph on Concurrent Data Structures, co-authored with Maurice Herlihy.

In particular, Shavit and Della Libera have designed a new version of diffracting trees, “Reactive Diffracting Trees”, which grow and shrink according to the load on the data structure. They have obtained results showing that reactive diffracting trees do scale properly.

• Shvartsman is continuing the synthesis of the latest results in the area of parallel computation in the presence of failures and delays. A monograph is in preparation with the target completion date this calendar year. It will be published by Kluwer Academic. A journal paper in this area by Buss, Kanellakis, Ragde and Shvartsman appeared in the Journal of Algorithms [2].

III. Applications

A. Distributed system building blocks

• Fekete, Gupta, Luchangco, Lynch and Shvartsman have revised their paper on “eventually serializable data services”, including some optimizations of their original algorithm. Their revised paper will appear in PODC96.

• Shvartsman and Oleg Cheiner, an undergraduate research assistant, have begun implementing a prototype distributed algorithm based on the eventually serializable data service implementation described just above. The prototype will be used as a testbed for exploring algorithm optimizations.

• Lynch and Shvartsman have formulated a specification of a general-purpose processor group-oriented communication primitive. They are applying the primitive to obtain new results and extend previous results for distributed algorithms, e.g., replicated read/write memory. A manuscript is in preparation. With De Prisco they are also developing new and efficient algorithms for the Do-All problem of performing n tasks using p message-passing processors, while maintaining message and work efficiency. Another manuscript is in preparation.

• Vaziri has nearly completed a proof of correctness of the main algorithm for the RAID level 5 system. This proof includes much reusable structure, including recoverability conditions for the operation graphs used in the algorithm.

• De Prisco has continued his work on modelling, improving, and verifying the practical Paxos algorithm for fault-tolerant distributed consensus. The proof of the main algorithm is nearly finished, but there is work still to be done on the subsidiary algorithms (for leader election and failure detection), as well as on applications of the Paxos algorithm to replicated data management and distributed transaction processing.

B. Transit

• Weinberg and Lynch have completed their analysis, using hybrid I/O automata, invariants and simulation mappings, of a collection of typical vehicle deceleration maneuvers. These appear in Weinberg’s M.S. thesis.

• Lynch, Weinberg and Delisle have completed a paper on modelling and analyzing separate vehicle protection (VP) subsystems, as used in the Raytheon Personal Rapid Transit project, for the proceedings of the DIMACS-95 Workshop on Hybrid Systems. Lynch has begun working with M.Eng. student Carl Livadas on extensions of this work to handle more types of safety subsystems.

• Lynch has completed her work on the analysis of an acceleration maneuver, using three levels of abstraction. She has written a final report for the AMAST Workshop on Hybrid Systems.

• Lynch has begun working with undergrad student Kate Dolgin and postdoc Mike Branicky on modular safety analysis for the platoon join maneuver of the California PATH intelligent highway project.
C. Communication

• Smith has finished his formal verification of TCP. After finishing this, he started his verification of T/TCP, using a simulation mapping to TCP, and discovered that it does not implement TCP! He discovered a situation in which T/TCP delivers duplicate data to the user. He will proceed on this project by determining and proving the weaker properties that T/TCP does in fact guarantee, and by considering whether the stronger properties are actually possible to achieve. He will seek either an improved model or an impossibility result.

D. Probabilistic Systems

• Lynch and Segala are working intensively to complete the work by Pogosyants and Segala on modelling and proof of the (randomized) Aspnes-Herlihy consensus protocol. The safety proof has been completed. There is a good draft of the proof of the probabilistic progress properties, but this needs more work.


Special Programs and Major Items of Equipment

None.

Changes in Key Personnel

1. M.S. student H.B. Weinberg has finished his M.S. thesis work and has left M.I.T.

2. M.Eng. student Carl Livadas has joined the group to complete the work on real-time-systems modelling and verification begun by H.B. Weinberg.

3. Undergraduate student Kate Dolgin has joined the group to help with the transit modelling project.

Trips, Talks and Conferences

1. Two meetings were held involving members of our group and Lincoln Labs researchers involved in evaluating air traffic control and aircraft control systems. These were on Jan. 19 and Feb. 23.

2. Lynch gave two invited addresses at the University of Florida, in Gainesville, one on distributed shared memory and multicast, and the other on modelling automated transit systems. Both were on Jan. 26.

3. Roberto Segala visited from Bologna to work with Lynch on probabilistic system verification, for two weeks in February.

4. Lynch attended the annual ARPA Networking P.I. meeting in Charleston, S.C., organized by Gary Minden, on Feb. 25-27. She spoke about the general enterprise of defining/studying building blocks for high-assurance distributed systems, and about specific results on distributed shared memory and multicast, on eventually serializable data services, on TCP and T/TCP communication services, and on counting networks and other efficient concurrent data structures.

5. Lynch attended the AMAST Workshop on Real-Time Systems in Salt Lake City, Mar. 4-5. She gave an invited address on modelling and verification of transit systems.

6. Lynch and Livadas visited Raytheon in to discuss current designs of automated transit systems, on Mar. 21.

7. Mark Smith presented his paper entitled “Formal Verification of TCP” at The Second Technical Conference on Telecommunications R&D in Massachusetts, Lowell, MA, in March.

8. Shvartsman participated in the Information Survivability-Formal Methods PI Conference on January 16-18, 1996 in San Diego, CA. He gave a talk on research direction in TDS titled “Theory of Distributed and Real-Time Systems”.

Areas of Concern

None.

Statement of Sufficiency

The contractually prescribed effort appears to be sufficient to achieve the objectives of this contract.

Degrees awarded

1. H.B. Weinberg, M.Eng. thesis entitled “Correctness of Vehicle Control Systems - A Case Study”. Completed in Jan., 1996.

Related Accomplishments

During this reporting period, the following papers have been submitted to, been accepted to, or have appeared in journals and conference proceedings:

Also, Lynch’s book on Distributed Algorithms appeared in print during this reporting period:

Nancy Lynch. Distributed Algorithms. Morgan Kaufmann Publishers, Inc., San Mateo, CA, March 1996.

Award: Undergraduate student Tsvetomir Petrov became the recipient of the first annual Anya Pogosyants Undergraduate Research Award.


Sincerely,


Cecil H. Green Professor

Electrical Engineering and Computer Science

(617) 253-7225

lynch@theory.lcs.mit.edu

MIT Laboratory for Computer Science

Applications of the Theory of Distributed Real-Time Systems
To the Development of Large-Scale Timing-Based Systems
Prof. Nancy Lynch, Principal Investigator